2effe116bae12db344d860be05ab14d7f38ea599a7c8bb873477f101d324c5ec | Triage

Submit
Reports

Overview

overview

9

Static

static

7

IvAEGoijbASEGjo.exe

windows10-2004-x64

9

Sharing

General

Target

IvAEGoijbASEGjo.exe
Size

4.8MB
Sample

230205-2y5vmsef2x
MD5

d9b79da11f22ccdb255572afae699563
SHA1

0918ecc9efee1b95d002c5c2884f3108e731c302
SHA256

2effe116bae12db344d860be05ab14d7f38ea599a7c8bb873477f101d324c5ec
SHA512

875711db059d06368c1921ba41fa3cd07b4b376f2badd3a20f2ffa7745b6cb9cd5d738a99baaf107d0f0aaca8ad798ad4ad1d92956f47419690912afab99a20c
SSDEEP

98304:P27dEgmm1/tAE0rlxcFv7gV66KQcwzdHdjEtzGOIkXBfKM:+Cg92E6fRwrkHdMSMRff

Score

9^/10

evasion persistence themida trojan vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

IvAEGoijbASEGjo.exe

Resource

win10v2004-20221111-en

evasion persistence themida trojan vmprotect

windows10-2004-x64

27 signatures

150 seconds

Malware Config

Targets

- Target
  
  IvAEGoijbASEGjo.exe
- Size
  
  4.8MB
- MD5
  
  d9b79da11f22ccdb255572afae699563
- SHA1
  
  0918ecc9efee1b95d002c5c2884f3108e731c302
- SHA256
  
  2effe116bae12db344d860be05ab14d7f38ea599a7c8bb873477f101d324c5ec
- SHA512
  
  875711db059d06368c1921ba41fa3cd07b4b376f2badd3a20f2ffa7745b6cb9cd5d738a99baaf107d0f0aaca8ad798ad4ad1d92956f47419690912afab99a20c
- SSDEEP
  
  98304:P27dEgmm1/tAE0rlxcFv7gV66KQcwzdHdjEtzGOIkXBfKM:+Cg92E6fRwrkHdMSMRff
Score

9^/10

evasion persistence themida trojan vmprotect
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Sets service image path in registry
  persistence
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Impair Defenses

Modify Registry

Virtualization/Sandbox Evasion

Web Service

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

evasionpersistencethemidatrojanvmprotect

© 2018-2024

Terms | Privacy